Fisher Mark wrote:
>
> 1) Authentication -- are you who you say you are?
> 2) Access Control -- are you allowed to perform this operation in this
> way?
> 3) Auditing -- just what was it that you did?
> 4) Encryption -- Is your data protected from prying eyes?
>
I would agree that 3 and 4 are out of scope. Defining #1 is
also out of scope, because there are many others working on that
components. Our role here should be to determine which #1
we are going to support.
The purpose of the Access Control document will be concerned
principally with #2.